CVE-2025-65805: OAI CN5G AMF: Unauthenticated buffer overflow, RCE/DoS
HIGH CISA: TRACK*OpenAirInterface CN5G AMF (<=v2.1.9) contains a stack-based buffer overflow (CWE-121) triggered by sending an IMSI string exceeding 1000 characters to the N1 interface — no authentication, no user interaction, network-accessible. This matters to AI security teams because 5G core infrastructure underpins edge AI deployments, autonomous systems, and IoT sensor networks that feed AI pipelines; a compromised AMF can sever connectivity for entire 5G network slices. With 13,670 downstream dependents and an OpenSSF score of only 6.3/10, the blast radius extends well beyond direct adopters. No public exploit or CISA KEV entry exists today, but the trivial attack complexity (just craft an oversized IMSI and hit port N1) means weaponization is low-effort. Upgrade to a version beyond v2.1.9 immediately; if patching is blocked, restrict N1 interface access to trusted UE management networks via firewall rules and monitor for anomalous NAS message lengths.
What is the risk?
High risk for organizations running OpenAirInterface-based 5G core deployments, particularly private 5G networks supporting AI edge inference, industrial IoT, or autonomous systems. CVSS 7.5 reflects the unauthenticated, network-accessible, zero-user-interaction nature of the flaw. No EPSS data available, but attack complexity is low — a single malformed NAS registration request is sufficient. The DoS path is certain; RCE likelihood depends on memory layout, ASLR/stack canary controls, and runtime hardening of the specific build. The absence of a patch version in the advisory increases residual risk.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenAI Python | pip | — | No patch |
Do you use OpenAI Python? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
Patch: Upgrade OAI CN5G AMF beyond v2.1.9 as soon as a fixed release is available — monitor the upstream repository (last push: 2026-04-04).
-
Network segmentation: Restrict access to the N1 interface (UE-to-AMF) to known, trusted network segments; block external/untrusted sources at the firewall perimeter.
-
Input validation workaround: If running a custom build, apply an input-length guard on IMSI parsing in NAS message handlers prior to buffer write operations.
-
Detection: Alert on NAS Registration Request messages containing IMSI fields >64 bytes (valid IMSIs are 15 digits); correlate with AMF process crashes or restarts.
-
Runtime hardening: Confirm the deployed binary is compiled with stack canaries (-fstack-protector-strong), ASLR enabled, and NX/DEP to constrain RCE exploitability.
-
Inventory: Audit all private 5G deployments — OAI is common in academic, research, and industrial IoT environments that may also run AI workloads.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2025-65805?
OpenAirInterface CN5G AMF (<=v2.1.9) contains a stack-based buffer overflow (CWE-121) triggered by sending an IMSI string exceeding 1000 characters to the N1 interface — no authentication, no user interaction, network-accessible. This matters to AI security teams because 5G core infrastructure underpins edge AI deployments, autonomous systems, and IoT sensor networks that feed AI pipelines; a compromised AMF can sever connectivity for entire 5G network slices. With 13,670 downstream dependents and an OpenSSF score of only 6.3/10, the blast radius extends well beyond direct adopters. No public exploit or CISA KEV entry exists today, but the trivial attack complexity (just craft an oversized IMSI and hit port N1) means weaponization is low-effort. Upgrade to a version beyond v2.1.9 immediately; if patching is blocked, restrict N1 interface access to trusted UE management networks via firewall rules and monitor for anomalous NAS message lengths.
Is CVE-2025-65805 actively exploited?
No confirmed active exploitation of CVE-2025-65805 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-65805?
1. Patch: Upgrade OAI CN5G AMF beyond v2.1.9 as soon as a fixed release is available — monitor the upstream repository (last push: 2026-04-04). 2. Network segmentation: Restrict access to the N1 interface (UE-to-AMF) to known, trusted network segments; block external/untrusted sources at the firewall perimeter. 3. Input validation workaround: If running a custom build, apply an input-length guard on IMSI parsing in NAS message handlers prior to buffer write operations. 4. Detection: Alert on NAS Registration Request messages containing IMSI fields >64 bytes (valid IMSIs are 15 digits); correlate with AMF process crashes or restarts. 5. Runtime hardening: Confirm the deployed binary is compiled with stack canaries (-fstack-protector-strong), ASLR enabled, and NX/DEP to constrain RCE exploitability. 6. Inventory: Audit all private 5G deployments — OAI is common in academic, research, and industrial IoT environments that may also run AI workloads.
What systems are affected by CVE-2025-65805?
This vulnerability affects the following AI/ML architecture patterns: Edge AI inference over 5G, Industrial IoT AI pipelines, Autonomous vehicle connectivity, Private 5G-connected model serving.
What is the CVSS score for CVE-2025-65805?
CVE-2025-65805 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.32%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0006 Active Scanning AML.T0029 Denial of AI Service AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
OpenAirInterface CN5G AMF<=v2.1.9 has a buffer overflow vulnerability in processing NAS messages. Unauthorized remote attackers can launch a denial-of-service attack and potentially execute malicious code by accessing port N1 and sending an imsi string longer than 1000 to AMF.
Exploitation Scenario
An adversary targeting an organization's private 5G network (e.g., a smart factory using edge AI for quality control) scans for open N1 interface ports on the AMF host. They send a crafted NAS Registration Request with an IMSI value of 1001+ characters. The oversized string overflows the stack buffer in the AMF's NAS message parser, crashing the AMF process and immediately disconnecting all AI-enabled edge devices on the 5G slice — halting real-time inference, disrupting production lines, and creating a window for physical or logical follow-on attacks. A more sophisticated actor uses the same primitive to attempt RCE: by controlling the overflow payload to overwrite the return address (if stack protections are absent or bypassable), they execute shellcode in the context of the AMF process, gaining a foothold on the 5G core host and access to internal network segments hosting AI model serving infrastructure.
Weaknesses (CWE)
CWE-121 — Stack-based Buffer Overflow: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
- [Operation, Build and Compilation] Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
- [Architecture and Design] Use an abstraction library to abstract away risky APIs. Not a complete solution.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References
Timeline
Related Vulnerabilities
CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10)
Same package: openai CVE-2023-3686 9.8 QuickAI: unauthenticated SQLi exposes OpenAI API keys
Same package: openai CVE-2025-66786 7.5 OAI CN5G AMF: unauthenticated JSON DoS on 5G SBI interface
Same package: openai CVE-2025-26265 6.5 openairinterface5g: segfault enables DoS via crafted UE message
Same package: openai CVE-2025-7021 6.5 OpenAI Operator: fullscreen spoofing captures credentials
Same package: openai